On February 26, the U.S. Department of Education issued guidance aimed at assisting schools and school districts when considering whether the use of online educational services and mobile applications complies with student privacy laws. The guidance consisted of two main components. First, the Department published a document entitled Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, which evaluates common privacy-related provisions in online Terms of Service and analyzes how they comply with student privacy requirements. Second, the Department produced a user-friendly, 10-minute training video directed to K-12 administrators, teachers, and staff about schools’ privacy obligations when using online educational services and applications. Finally, the guidance encourages school administrators to check the Student Privacy Pledge when considering whether to use online educational services in the classroom.
This follows Department of Education guidance issued almost exactly a year ago, which we summarized in a detailed Client Alert at the time, about the privacy obligations of schools and school districts when considering online service providers and applications. That guidance commented that schools should review online educational service providers’ online Terms of Service (TOS) prior to sharing student data with online services to determine whether the TOS are consistent with privacy requirements under laws like the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).
Following President Obama’s announcement last month that the administration would be proposing a consumer privacy bill of rights, the Obama Administration today posted its proposed legislation. Check back here soon for further information about the proposal.
To access the administration’s discussion draft “Consumer Privacy Bill of Rights Act,” click here.
The future of the s. 40 exemption
Undoubtedly one of the more mind-bending exemptions to apply under the Freedom of Information Act 2000 (FOIA) is the exemption for personal information (s.40) (although sections 30 and 36 are also up there!). This is partly due to s. 40’s close link with the Data Protection Act 1998 (DPA). Not one to hog the limelight, the DPA has typically been cited in past litigation as a secondary or even tertiary issue to the main action when there is a claim for breach of confidence or breach of privacy. This led to a scarcity of judicial rulings on the DPA prior to the FOIA. However, in the Tribunal and higher court decisions flowing from the FOIA, certain aspects of the DPA have frequently been examined when public authorities seek to rely on the s. 40 exemption. Consequently there have been a number of rulings on the scope of personal data and on the ‘legitimate interests’ ground as a legal basis for disclosing such information. These rulings have been based on the DPA which itself implements the EU Data Protection Directive 95/46/EC. But the Directive is due to be replaced by an EU Regulation in the next few years. What will this mean for how the s. 40 exemption under FOIA is interpreted?
On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences (the Draft Law) that would increase the amount of the fines imposed for violating Russian data protection laws and introduce a differentiation between the types of relevant offences. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.
A recently released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts.
In 2014, the Internet of Things (IoT) and big data were two of the hottest buzzwords among privacy professionals. This year, “robotics” may be one of our oft-spoken words. In this post, we look at two of the challenges that robotics brings. One challenge facing privacy professionals is how to address potential privacy issues as autonomous robots powered by big data and network connectivity are brought into our personal spaces. Another, often equally challenging, issue is how to implement robotics in a legal and regulatory landscape that was designed, in many cases, for the relatively slow-paced technologies of the Internet where the chirps of dial-up modems broadcast our connections.
On February 15, the White House issued a Presidential Memorandum on safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems (UAS). The memorandum launches a multi-stakeholder process to establish voluntary baseline privacy standards for commercial use of UAS and establishes principles that will govern the federal government’s use of UAS.
The Presidential Memorandum, which was issued in conjunction with the Federal Aviation Administration’s proposed framework of regulations for the use of certain small UAS, is the latest in a series of activities by policymakers to address privacy concerns associated with the use of UAS in governmental and civilian settings. In December, Sen. Jay Rockefeller (D-WV) released his proposed Unmanned Aircraft Systems Privacy Act of 2014, which would establish rules on data collection and use by UAS operators. Additionally, in the last two years, several states, including California, Idaho, Indiana, Louisiana, North Carolina, Oregon, Tennessee, Texas, and Wisconsin, enacted privacy laws that impact commercial and private use of UAS. Numerous states also have passed laws restricting law enforcement use of UAS.
2014 was a very eventful year for data privacy regulation in Asia and there are reasons to believe that 2015 will represent a turning point for the region as established privacy regimes are toughened and new regimes enacted in recent years begin to mature.
The past year saw a number of significant regulatory developments, in particular the implementation of new, comprehensive “European-style” privacy laws in Singapore and Malaysia, the amendment of China’s consumer protection law to include data privacy principles and increased financial penalties in South Korea.
The specific websites that were investigated are not identified (as yet); however, those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.
Public atrocities always attract some kind of political reaction. Generally, the more brutal the atrocity, the harsher the reaction. It is understandable from the perspective of political responsibility. So when defenceless people are mercilessly attacked by gunmen as punishment for their satirical views, a very visible reaction is to be expected. However, political reactions to grave situations need not only visibility but measured thinking and careful decision-making. The reaction to a violent and criminal act can often have more far-reaching implications than the act itself, leading to an escalation of violence. At the same time, doing nothing to protect citizens from harm is not a responsible option. As with many political decisions, securing public safety is a balancing exercise of robustness and restraint.